Virus Signature

Glossary In the antivirus world, a signature is an algorithm or hash (a number derived from a string of text) that uniquely identifies a specific virus. Depending on the type of scanner being used, it may be a static hash which, in its simplest form, is a calculated numerical value of a snippet of code unique to the virus. Or, less commonly, the algorithm may be behavior-based, i.e. if this file tries to do X,Y,Z, flag it as suspicious and prompt the user for a decision. Depending on the antivirus vendor, a signature may be referred to as a signature, a definition file, or a DAT file.

From Mary Landesman

Free antivirus Avast was updated! version 4.7

Incremental updates: iAVS is a fast, small, incremental and fully automated update via the Internet. Updates are released at least twice a week.
The latest iAVS update was published on: 11.12.2007, version: 071211-0

No reinstallation of the program is needed for virus database updates!

If you are connected to the Internet, updates are downloaded and installed automatically without any need for user action. The presence of a new version on our servers is checked when the Internet connection is established, and every four hours afterwards. Please download the following file only if you really need it (e.g. if your computer does not have any Internet connection).

Download right now

File Size: 10.00 MB
Dial-up 56Kbit/s: ~ 31 min
DSL/Cable 128Kbit/s: ~ 14 min
DSL/Cable 256Kbit/s: ~ 7 min
DSL/Cable 512Kbit/s: ~ 3 min
T1 1Mbit/s: ~ 2 min

Highest certification results in the latest AV-Comparatives tests for Kaspersky Anti-Virus 7.0

Kaspersky Lab, a leading developer of secure content management solutions, announces that Kaspersky Anti-Virus 7.0 has demonstrated the highest level of reliability and effectiveness of its proactive protection system in a series of tests conducted by AV-Comparatives.org, a respected Austrian antivirus lab. Based on the results, Kaspersky Anti-Virus was awarded the highest certification: Advanced+.
“New malicious programs and viruses appear every day and it is evident that antivirus database updates, even hourly, are not enough to provide users with reliable protection from possible Internet threats. There is always a time “gap” between the appearance of a new threat and the release of an update. So to provide effective antivirus protection it is important to effectively detect new threats,” says the head of the AV-Comparatives lab Andreas Clementy.
AV-Comparatives conducted a series of tests in order to compare the effectiveness of various antivirus solutions' on-demand detection of malicious programs (by the program scanner). This method makes it possible to estimate the effectiveness of the heuristic analyzer, one of the components of the proactive protection system. The testing included 17 antivirus products for home users with antivirus databases that were dated August 5, 2007. The sample of malicious programs used in the tests appeared after this date.
Based on the results, Kaspersky Anti-Virus 7.0 was awarded the highest certification—Advanced+, which confirms the program has the highest level of detection of new malicious programs with minimal false positives using the antivirus program's heuristic analyzer. It should be noted that only 1 other products tested was awarded this certification.
“Kaspersky Lab developed and introduced a new heuristic analyzer in it's version 7.0 home user products in the summer of this year. In June 2007 this new module first participated in AV-Comparatives' testing and immediately received the Advanced+ certificate,” says Deputy Director of the Innovation Technologies Nikolay Grebennikov. “This is a long-awaited and very significant assessment of Kaspersky Lab’s work.”
The heuristic analyzer is only one of the components of the proactive protection module included in Kaspersky Lab products. Contrary to most competitors’ products, Kaspersky Lab products provide additional protection: a behavior blocker, which blocks the activity of malicious programs based on their behavior. The effectiveness of this module was also tested by AV-Comparatives in June 2007, with the test developers commenting: “The results of the tests performed with the randomly chosen malicious programs have confirmed the highest protection level and the effectiveness of the behavior blocker, which is awarded the Proactive Protection Award of the AV-Comparatives test laboratory.”
To find out more about the report “Comparison of different malware protection technologies”, or for more information about the Proactive Protection Award, please visit AV-Comparatives.org
About Kaspersky Lab
Kaspersky Lab delivers the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. Kaspersky Lab products provide superior detection rates and the industry’s fastest outbreak response time for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at http://www.kaspersky.com/ . For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit http://www.viruslist.com/

Last MicroWorld's Virus Alerts

Name :
Win32.Rbot.ewm
Type :
Worm
How it spreads :
Win32.Rbot.ewm spreads via the software vulnerabilities and through network shares.
Prevalence :
Medium
Affected operating systems :
Windows
Aliases :
N/A
Win32.Rbot.ewm is spreads to other network computers by exploiting software vulnerabilities and then it connects to some IRC servers and executes commands from a remote intruder.

Name :
Win32.OnLineGames.dr
Type :
Password Stealing Trojan
How it spreads :
Web downloads
Prevalence :
Medium
Affected operating systems :
Windows
Aliases :
This is a Password Stealing Trojan written in Delphi, primarily targeting Taiwanese MMORPGs. It can also post this stolen information to certain malicious websites.

Name :
Win32.Pakes.bmp
Type :
Trojan
How it spreads :
Win32.Pakes.bmp spreads via the network.
Prevalence :
Low
Affected operating systems :
Windows
Aliases :
N/A
Win32.Pakes.bmp is variant of the Win32.Pakes family of trojans. It exihibits a rootkit functionality and sends spam from a remote server and gathers email addresses from the infected system.

Name :
Win32.Agent.ckj
Type :
Trojan
How it spreads :
Win32.Agent.ckj spreads via the network.
Prevalence :
Low
Affected operating systems :
Windows
Aliases :
N/A
Win32.Agent.ckj spreads via the network. Once the system is affected by Win32.Agent.ckj, it allows a remote intruder to gain access and control over the computer.

Name :
Win32.AdobeReader.b
Type :
Trojan
How it spreads :
Win32.AdobeReader.b spreads via the Internet as a PDF attachment.
Prevalence :
Low
Affected operating systems :
Windows XP
Aliases :
N/A
Win32.AdobeReader.b exploits the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on the computer. Once it executed, the trojan disables the Window Firewall.

MWAV - MicroWorld's Free AntiVirus Toolkit Utility - Download

Shell Open Command Tricks from Mary Landesman

Malware can load from a variety of different places on your PC. In addition to the more common modifications to Windows auto start entry points, malware may leverage the shell open command. This allows it to register itself as the handler for certain file types and thus the virus, worm or Trojan loads when any of these file types are called. (The 2001 Sircam worm was one of the earliest examples of widespread malware using this technique).
Following are the keys typically targeted:
· HKEY_CLASSES_ROOT\exefile\shell\open\command
· HKEY_CLASSES_ROOT\comfile\shell\open\command
· HKEY_CLASSES_ROOT\batfile\shell\open\command
· HKEY_CLASSES_ROOT\piffile\shell\open\command
· HKEY_CLASSES_ROOT\htafile\shell\open\command
· HKEY_CLASSES_ROOT\htfile\shell\open\command
The default value for each of these should be "%1" %*.
If malware has registered itself as the handler, the value would appear similar to the following:
%1 where represents the filename of the malicious program.
When manually attempting removal of a virus, worm, Trojan or other malware that has registered itself as the handler in this manner, you must correct the registry value before you attempt to delete the copy of the malware. Otherwise, when you reboot your system you will not have a valid handler for these file types and the system will not load Windows.
To correct the handler value, replace the contents with:
"%1" %*
Symantec also provides a free tool to reset shell\open\command registry keys.

Storm Trojan - Private Detective Scare

A malicious Trojan is being sent in email claiming the recipient is being spied on and that the password-protected .rar attachment to the message is proof of a previously recorded conversation. The .rar contains an executable file that masquerades as an MP3 music file. In reality, the file is a disguised variant of the Zhelatin family of malware (commonly referred to as the "Storm worm").
The email message body sent by this variant of Zhelatin appears as follows:
I am working in a private detective agency. I can't say my name. I'm warning you that i'm going to overhear your telephone line. Do you want to know who paid for shadowing you? Wait for my next message.
P.S. Of course, you don't believe me. But i think that the record of your yesterday's telephone conversation will change your point. The record is in archive. The password is 123qwe
According to PC Tools ThreatExpert, this latest variant creates a file named "kernelwind32.exe" in the Windows system folder (usually C:\Windows\System32). The registry is modified to load this copy when Windows starts, as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
\CurrentVersion\Run System = "\kernelwind32.exe"
A file named "kernelw.sys" is also dropped to the Windows system folder. This file is a kernel mode rootkit that hides itself and other files and processes associated with the infection. The Trojan also modifies the registry to prevent access to the Windows Task Manager.
Rootkit enabled malware is extremely common these days. To bolster your virus protection, use one or more of these free rootkit detectors to scan your system. From Mary Landesman

Safely Shopping on the Internet

The advantages of shopping online during the Holiday seasonare numerous. You have a world of products at your fingertipsand you don't have to deal with parking hassles, mall crowds,and long lines.
Unfortunately, despite all its benefits, there is one potentialmajor drawback about buying items on the Internet. Accordingto the Federal Trade Commission, in 2005, an estimated $300+million was lost to online schemes. Smart cyber-shoppersshould research any web site that they want to transact withbefore buying something.
One of the first steps you should consider taking is to upgradeto McAfee Total Protection(TM) with SiteAdvisor(TM) Plus, if youdon't already have it. In addition to getting more PC security,SiteAdvisor Plus will provide you with web site safetyratings and help you avoid fake e-stores that just want tosteal your credit card number.
Safety ratings are based on automated safety tests of websites and are enhanced by feedback from our volunteer reviewersand insights from our own analysts. McAfee SiteAdvisor hastested over 95% of the sites on the Internet.
Also, you should look for the HACKER SAFE(R) icon on thee-store's home page. HACKER SAFE technology protects over75,000 web sites. Seeing the HACKER SAFE icon providesshoppers with the confidence of the most trusted e-commercesecurity seal in the world.
To be a smart online shopper this holiday season, you needto adhere to a few basic dos and don'ts when purchasingfrom web sites to avoid becoming a victim of cyber-crime.In addition to the above, consider the following:
Dos
Do pay by credit card. You can dispute purchases madeafter reporting you credit-card number has been stolen orused without your knowledge.
Do use a secure web site*.
Do keep copies of the sales transactions for futurereference in case a dispute arises.
Do check your credit-card statements to make sure you were charged the proper amount and that no "extras" were added.
Do check the site's privacy policy before you order.
Do purchase comprehensive computer security software like McAfee Total Protection with SiteAdvisor Plus to protect you whenever and wherever you go online.

* = Secure sites have a key or closed lock displayed in theweb browser. Of course, you should also look for the HACKERSAFE icon. Another way to confirm a site is secure, check ifthe web address (URL) on the page begins with "https" insteadof just "http." Please note, these efforts can be spoofedby cyber criminals.
Don'ts
Don't send cash. Pay by credit card because you're protected.
Don't send any financial information via email. It is not a safe method for communicating this sensitive information (credit-card or Social Security numbers).
Don't forget to read the return policy and other terms.
Don't buy from a site you don't feel absolutely comfortable with. If you sense something is just not right about the company you are ordering from, then don't make a deal.
Don't forget to inspect your new product as soon as it arrives. Notify the seller as soon as possible if there is a problem.